This post discusses business continuity and disaster recovery.

WHAT IS BUSINESS CONTINUITY?

Business continuity aims to address disruptions to business operations to minimise the impact of a mishap on business operations and performance. During the pandemic, for example, businesses faced enormous pressure to adopt temporary measures that would allow them to continue their operations as best as possible. In this case, business continuity often involved giving employees the tools required to work from home.  

Business continuity involves a planning process, the outcome of which is a business continuity plan. This typically begins with a risk assessment and a business impact analysis. Together, these outputs help stakeholders determine the required scope of the business continuity plan while also considering any regulatory or legal implications. Many business continuity plans focus heavily on information technology (IT) and communications systems, given their central role in most businesses.

WHAT IS DISASTER RECOVERY?

Disaster recovery planning involves resolving the underlying issue, whether a data breach, system failure, or any other unexpected event. Disaster recovery assumes the interruption of business operations “as usual” by events such as power outages, natural disasters, or just plain human error. Rather than simply finding a way to mitigate the damage caused by the event, disaster recovery focuses on getting business back to normal. 

Hence, disaster recovery focuses on the immediacy of an undesired event and often happens alongside business continuity. Whereas business continuity concerns working through a disruptive event. A disaster recovery process comprises several stages: identifying the incident’s source to applying various ways to fix it. To that end, it concerns data recovery and the recovery of damaged or malfunctioning hardware and software applications.

HOW BUSINESS CONTINUITY AND DISASTER RECOVERY ARE CONNECTED

Business continuity (BC) and disaster recovery (DR) are essential to an organisation’s overall risk management strategy. BC and DR plan need to work together to mitigate the business impact of a potential disaster. A business continuity strategy with a disaster recovery plan would be effective, and more than disaster recovery is needed to ensure business continuity. 

Both business continuity and disaster recovery are equally important since they provide specific procedures and strategies on how a business will resume after a crisis. A business continuity plan ensures that business-critical functions are unhindered when disaster strikes. It also requires a disaster recovery plan that provides all information technology (IT) systems, software and applications are accessible and recoverable.

IMPORTANCE OF BUSINESS CONTINUITY AND DISASTER RECOVERY

Business continuity planning and disaster recovery are vitally important disciplines for any organisation. If necessary data is lost, there can be severe impacts on the ability of the organisation to stay in business. The consequences can be catastrophic if any company tries to cope with a disaster without advanced plans.  

Business continuity planning and disaster recovery planning (BCP and DRP) can help companies to minimise the consequences of a catastrophic event. They can also provide peace of mind by making employees and stakeholders feel more comfortable responding to disasters.

SIMILARITIES BETWEEN BUSINESS CONTINUITY AND DISASTER RECOVERY

Business continuity planning (BCP) and disaster recovery planning (DRP) are usually prepared separately. However, whilst the two disciplines differ, they overlap in some areas and work best when developed together. In particular, there are many similarities between BCP and DRP when considering the steps that should be followed to develop effective business continuity and disaster recovery plans. 

Here are some of the similarities between them:

1. Both business continuity (BC) and disaster recovery (DR) are proactive strategies that help a business prepare for unexpected significant events.
2. Both business continuity (BC) and disaster recovery (DR) disciplines take a pro-active and pre-emptive approach, seeking to minimise the effects of the events before they occur instead of having to react without any forethought or preparation.
3. Businesses can use business continuity (BC) and disaster recovery (DR) to prepare for various types of disasters, including pandemics, natural disasters, criminal acts, cyber-attacks, and significant technology failures.
4. Both business continuity (BC) and disaster recovery (DR) require regular review and updates to ensure they are aligned with the company’s goals, the threat landscape, and the operating environment. and
5. Both business continuity (BC) and disaster recovery (DR) require regular testing to prove their effectiveness.

HOW BUSINESS CONTINUITY AND DISASTER RECOVERY OVERLAP

Although disaster recovery is a subset of business continuity, the methods can overlap. Following is a list of functional similarities:

1. Business continuity (BC) and disaster recovery (DR) emphasise protecting staff, other stakeholders, and critical assets. 
2. Business continuity (BC) and disaster recovery (DR) prioritise activities and facilities that must resume operations quickly.
3. Business continuity (BC) and disaster recovery (DR) anticipate and analyse potential risks and threats, including events impacting equipment and physical facilities or disrupting a distributed platform. and
4. Business continuity (BC) and disaster recovery (DR) outlined step-by-step plans to avoid damage and disruption and recover from disasters.

DIFFERENCES BETWEEN BUSINESS CONTINUITY AND DISASTER RECOVERY

The differences between Business Continuity and Disaster Recovery can be summarised as follows: 

1. Business continuity focuses on keeping normal business activities operational during a disaster, while disaster recovery focuses on restoring data access and IT infrastructure after a disaster. In other words, BCP is concerned with the continuity of operations, and disaster recovery is involved with recovery.
2. Business continuity and disaster recovery each have different goals. Effective business continuity plans limit operational downtime, whereas effective disaster recovery plans limit the impact of technology failures. Addressing aligned business continuity and disaster recovery plans is the best way for organisations to prepare for disastrous events.

BUSINESS CONTINUITY PLAN VS DISASTER RECOVERY PLAN

BUSINESS CONTINUITY PLANNING

Business continuity planning, in general, is a high-level process that focuses on critical operations within an organisation that needs to be running to maintain a healthy level of service. If the plan is implemented effectively, the organisation should be able to continue offering products and services to customers with minimal disruption during and immediately after a disaster. It is also essential to address other stakeholders’ issues, such as vendors and partners, as the effects of a disaster can also affect their operations. 

Consequently, a business continuity plan (BCP) must cover all aspects of disaster preparedness in an organisation, including prevention, mitigation and recovery. These broad categories of actions must be well-defined for each risk and disaster scenario. This can mean the difference between survival and a complete shutdown. BC planning achieves these objectives through relentless analysis and isolation of critical business processes and threats. This helps the company create a priority list of crucial functions, resources including employees and infrastructure not limited to IT.

Companies often outline their BC and DR plan in two documents: business continuity (BC) and disaster recovery (DR).

1. Business Continuity Plan: A business continuity plan (BCP) explains how the company maintains essential functions during and after a disruption. This document focuses on the business and describes how different teams should continue operating under unusual circumstances.

2. Disaster Recovery Plan: A disaster recovery plan (DRP) focuses on establishing infrastructure on secondary sites and ensuring no data loss. This plan also explains how to restore normal IT operations to full strength.

Business continuity (BC) and disaster recovery (DR) plans may be prepared separately, but some businesses use a single document for both plans. If these plans are prepared independently, they would be referred to as a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). However, if these plans are created together, they would be referred to as the ‘Business Continuity and Disaster Recovery (BCDR) plan.

GOALS OF BUSINESS CONTINUITY AND DISASTER RECOVERY (BCDR) PLANNING

Here are five goals an organisation can use to fortify its business continuity and disaster recovery (BCDR) plans.

1. ASSESS THE STATE OF BUSINESS: Assessing the current state of an organisation can help identify the threats and set priorities for remediation efforts. 
2. FIND WEAKNESSES AND PROVIDE SOLUTIONS: The risks should be evaluated regularly to identify gaps that could disrupt business operations and jeopardise BCDR strategies. 
3. REVIEW AND TEST THE PLAN: Review the BCDR plan yearly to ensure it remains current and covers all aspects of the business for rapid recovery. 
4. IDENTIFY THE LOCATION FOR DATA STORAGE: Identifying where critical business data and assets are stored is a crucial objective of BCDR planning. 
5. KNOW THE DISASTER RECOVERY TEAMS: Knowing recovery personnel, their roles and how they can be reached during an emergency is another essential goal of a business continuity and disaster recovery (BCDR) plan.
   

NEED FOR AN ORGANISATION TO HAVE A BUSINESS CONTINUITY AND DISASTER RECOVERY PLAN

Business continuity and disaster recovery plans help organisations prepare for potentially disruptive events before their occurrence. It enhances an organisation’s ability to continue business operations with little disruption and minimises the risk of a natural or man-made disaster.

Organisations without a BCDR plan cannot survive or recover from a major disaster. The effects of large-scale disasters can shut down operations. More than 90 per cent of companies without a DR plan that suffers a major disaster are out of business within 12 months. A BCDR plan is like an insurance policy for an organisation. BCDR programmes help an organisation to reduce overall risk, get back up and running after an outage or disruption, mitigate the risk of data loss and protect against reputational damage.

BUSINESS CONTINUITY PLAN

A disaster recovery plan (DRP) helps an organisation transition from alternative business processes to normal ones. 

Here is a list of everything that must be included in a business continuity plan (BCP):

• An executive summary with a term glossary.
• Up-to-date risk analysis, vulnerability assessments, and business impact analysis (BIA).
• A distribution list that explains where the company store copies of the plan, who needs access to the document and links to any relevant files (e.g., an evacuation plan).
• All relevant legal, contractual, coverage, and regulatory obligations.
• An overview of who, when, and why worked on the plan.
• The objectives of the BC plan.
• An overview of geographical risks and factors.
• A list of the most critical aspects of the business, plus an explanation of how quickly (and to what extent) they must be back online in case of an incident.
• Guidelines on how and when to use the plan.
• Thorough assessments of disaster scenarios, their likelihood, and their impact (that is, costs of repair, disruption to end-user services, potential financial and legal repercussions, etc.).
• An overview of the incident response team, plus contacts of all go-to personnel in times of crisis.
• Detailed guides for preventing incidents from happening.
• Instructions on how to identify different threats.
• Step-by-step response plans for each disaster scenario.
• Any changes in management procedures that take effect during and following an incident.
• Lists of secondary office sites and instructions for work-from-home.
• A schedule for BCP reviewing, testing, and updating.
• A clear-cut communications plan for dealing with suppliers, third-party partners, and the media.
• Metrics and Key Performance Indicators (KPIs) for measuring the impact and recovery stages (such as Maximum Tolerable Downtime (MTD), and
• Training instructions for team leaders and individual employees.

DISASTER RECOVERY PLANNING

Disaster recovery planning (DRP) can be viewed as a more specific part of a BCP. Although some people narrow the focus of a DRP to information systems and business data, it can also refer to protocols outside the information technology (IT) scope. In other words, even though most businesses are now heavily IT-reliant, a DRP can be more than just about IT. It could include guidance on restoring communication or finding a secondary business location to accommodate critical operations and systems. 

Even with an extended scope of a DRP, it is essentially a response strategy – mainly being a component of a BCP. It lists all necessary technologies, procedures and objectives to recover after a disaster quickly. The recovery could pertain to any point of failure across all operations, including data loss, hardware failure, network outages, and application failure.

THE PURPOSE OF A DISASTER RECOVERY PLAN

The primary purposes of a Disaster Recovery Plan (DRP) include the following:

1. PREVENTION PURPOSE (PRE-DISASTER): This consists of pre-planning and pre-disaster measures to minimise the overall impact of a disaster on strategies and resources. 

2. CONTINUITY PURPOSE (DURING A DISASTER): This consists of actions and strategies employed during a disaster. 

3. RECOVERY PURPOSE (POST-DISASTER): This consists of actions and strategies to minimise the overall impact of a disaster after its occurrence.

DISASTER RECOVERY PLAN

Here is a list of everything that a company’s disaster recovery plan (DRP) should contain:

• A statement of intent and the plan goals.
• An overview of who and when created the plan.
• A thorough analysis of the IT system, networks, and data the company protects with a DR plan.
• Inventory of all relevant hardware and software.
• An in-depth IT risk analysis.
• An overview of the system’s current tech stack.
• Guidelines for when to use the plan.
• Recovery Time Objective (RTO) and Recovery Point Objective (RPO) details.
• Recovery Time Objective specifies the amount of time needed to recover apps and data, while Recovery Point Objective specifies how often the team performs data backups in normal circumstances).
• A list of all go-to recovery personnel responsible for managing the DR plan’s execution.
• Step-by-step instructions on restarting, reconfiguring, rehosting, and recovery systems in times of crisis.
• List all the tools needed for the DR execution (plus guides on properly using them).
• All necessary authentication assets and all the required passwords.
• Detailed instructions on preventing incidents and proactively protecting the system – e.g., using anti-malware tools and creating daily backups.
• The critical functions suffer downtime if the information technology (IT) system goes down.
• All the relevant info about the secondary IT infrastructure that takes operation over in case of an incident.
• A schedule for planned reviews and updates to the strategy, and
• Training instructions for employees responsible for managing the IT system and spearheading the DR process. Penetration testing is a common way companies test the readiness of their disaster recovery team).

 HOLISTIC APPROACH TO BUSINESS CONTINUITY AND DISASTER RECOVERY (BCDR) 

A holistic approach to business continuity and disaster recovery (BCDR) ensures that an organisation covers all business activities in case of a disaster by preparing ahead. Business continuity makes business functions available to end-users, so there is no loss of revenue. At the same time, disaster recovery enables the team to restore standard information technology (IT) operations as quickly as possible.

The combined use of the two practices has the following benefits:

1) Regardless of whether the company runs into a minor interruption or a full-blown disaster, the team has a clear plan of action to respond best.

2) No matter what happens, the length of service downtime will be minimised.

3) The company does not need to rely on improvisation at any stage of the incident response process.

4) DR plans will better align with the business’ best interests.

5) BCDR planning identifies weaknesses that a team working solely on one strategy might miss, and

6) A BCDR plan gives employees clear-cut instructions on how to act in the worst scenarios, so there is less stress in normal circumstances and less panic during incidents.

See the full video on Business Continuity and Disaster Recovery: https://youtu.be/Duda6MQT0mo